CVE-FOREST-2023-0001 · Severity: Critical · Status: Unpatched

They didn't know we were watching.

The full story of CVE-FOREST-2023-0001 — a zero-day in WhistleApp, the animal internet's most popular messaging app, that gave us undetected read access to 47 accounts. Nobody has patched it. Nobody is going to.

47 accounts hacked
0 aware of it
2019: FurNet discovered
Days since patch

Background

The animal internet has existed longer than ours.

FurNet was first detected by human researchers in 2019. Anomalous sub-1Hz frequency packets showing up in dead spectrum. Structured data. Social patterns. A parallel communication network that appears to predate the human internet by somewhere between 40 and 400 years depending on who you ask and how much they've had to drink.

The initial discovery caused a minor panic in certain academic circles, followed by a major cover-up in certain government circles, followed by a leak, followed by the usual cycle of denial, institutional embarrassment, and very quiet acknowledgement that yes, the animals have their own internet and no, we have no idea how long it's been running.

WhistleApp launched on FurNet in 2021. Within eight months it was the dominant messaging platform for non-human species globally. End-to-end encrypted, they said. Fully private, they said. They were wrong about the second one.

The vulnerability

A race condition in the sync handshake. Embarrassingly simple.

WhistleApp's device sync feature — which lets animals read their messages across multiple burrows, dens, or nesting sites — contained a critical authentication bypass. By sending a malformed handshake request during a specific 80ms window immediately after session initialisation, an observer receives the full message stream for that session.

The session logs show zero additional participants. No record is created. Nothing is flagged. The animals keep chatting. You keep reading. Forever, if you want.

POST /api/v3/sync/handshake
X-WApp-Device: [malformed — see PoC notes]
X-WApp-Session: [target_session_id]
Content-Type: application/x-furnet-msgpack

→ HTTP 200 OK
→ Stream: OPEN
→ Participant record created: NONE
→ Notification sent to group: NONE
→ You: in

We sent responsible disclosure to WhistleApp's security team on November 14, 2023. We received an automated acknowledgement. Then nothing. We waited 90 days. Then 180. We are now well past any reasonable disclosure window, which is why you are reading this.

We are not publishing the full PoC. Partly because it would be irresponsible. Mostly because the animals would eventually figure out how to patch it and we would like to continue reading their group chats about geopolitics.

Timeline

How this actually unfolded.

📡 2019

FurNet first detected. Sub-1Hz packet anomalies identified as structured social data. The paper that reported this received three citations, two from the same researcher writing under different names.

📱 2021

WhistleApp launches on FurNet. Claims end-to-end encryption. Marketing tagline: "Your burrow. Your business." Within 8 months: dominant platform. The bald eagle was an early adopter and has never let anyone forget it.

🔍 Late 2023

CVE-FOREST-2023-0001 identified. The race condition is found during a routine audit of FurNet protocol implementations. The vulnerability is beautiful in its stupidity.

✉️ Nov 14, 2023

Responsible disclosure sent to WhistleApp security. Automated acknowledgement received within 4 minutes. No further communication in the 500+ days since. Their security@ address is either unmanned or staffed by a second, smaller AI.

👁️ 2024–2026

Passive monitoring begins. 47 accounts identified across six species categories. Patterns emerge: the owl is always right. The grizzly bear consistently asks if things affect salmon. The sloth sends messages about 6 hours late and nobody mentions it.

🔓 Now

Exploit remains unpatched. Access remains active. The animals still don't know. You do.

Scope & ethics

What we can see. What we choose to publish.

We have passive read-only access to group chat sessions where cross-device sync is enabled. We cannot read direct messages, voice notes, or sessions where sync is turned off. We cannot post, edit, delete, or in any way alter what they're saying. We are ghosts.

We publish only chats where animals are reacting to human news events. We do not publish personal conversations, family threads, messages about illness, grief, territory disputes, or anything that feels like it belongs to them and not to us. There is a line. We are aware of it.

The chats we publish involve animals commenting on geopolitics, technology, economics, and the general chaos of human decision-making. They would probably say these things publicly anyway if they had Twitter accounts. They don't. We are providing a service.

If WhistleApp ever patches this, we will report that immediately and shut down access. Until then: enjoy the leaks.
